> On 1 Nov 2022, at 12:35, Dumitru Ceara <[email protected]> wrote:
>
> On 11/1/22 12:40, Abhiram Sangana wrote:
>>
>>
>>> On 21 Oct 2022, at 10:58, Dumitru Ceara <[email protected]> wrote:
>>>
>>> On 10/20/22 17:34, Abhiram Sangana wrote:
>>>> Hi Dumitru,
>>>>
>>>> Can you please check if the implementation for the proposal looks ok?
>>>> Will send out v1 with the review comments and tests.
>>>> Also, any ideas how we can selectively create new drop zones for ports.
>>>> Currently, I am assigning a new zone for dropped connections to every
>>>> port even if its parent LS doesn't have drop ACLs with labels.
>>>>
>>>
>>> Within a logical switch do we really need a drop zone per port? Isn't
>>> it actually enough if we add a "from-lport-drop" and "to-lport-drop"
>>> zone for the whole logical switch? That should simplify zone allocation.
>>>
>> Given that we are committing dropped connections to CT table, a DDOS
>> attack can potentially fill up the CT table. We are planning to send
>> another patch that limits the number of entries for a given CT zone.
>> It is easier to manage the size of CT zones when there is a CT zone
>> per port rather than per Logical_Switch.
>>
>
> Ok. To answer your previous question, we could mark the SB.Port_Binding
> with an option if there are ACLs applied to the switch containing it and
> at least one of those needs drop zones. Even better would be to mark
> the SB.Datapath_Binding but we don't have options there, we'd have
> to update the schema.
>
> I'm not sure if that works for you, what do you think?
>
> Thanks,
> Dumitru
Yes, I think that should work. I will send out a v1 patch with these changes.
Thank you, Dumitru.

Thanks,
Abhiram
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
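The marking rule sketched in the thread above, written out as an added example (not OVN's own code): a logical switch's ACLs decide whether its ports need drop zones, and zones are then allocated per port so that a later per-zone CT limit can bound each port's dropped-connection state independently. The option key `drop-zones-required`, the simplified record shapes and the sample NB data are assumptions made for the example.

```python
from dataclasses import dataclass, field
from itertools import count

# Simplified NB records (constructed for the example, not the OVSDB schema).
@dataclass
class ACL:
    direction: str   # "from-lport" or "to-lport"
    action: str      # "allow", "allow-related", "drop", "reject", ...
    label: int = 0   # non-zero label means the ACL tags its connections
    match: str = ""

@dataclass
class LogicalSwitch:
    name: str
    ports: list
    acls: list = field(default_factory=list)

def needs_drop_zones(ls: LogicalSwitch) -> bool:
    """A switch needs drop zones only if at least one of its ACLs drops
    traffic *and* carries a label (only labelled drops are committed to CT)."""
    return any(a.action == "drop" and a.label != 0 for a in ls.acls)

def mark_port_bindings(switches):
    """Return {port: options} as the SB.Port_Binding options would look:
    the (assumed) key is set only on ports of switches that need zones."""
    opts = {}
    for ls in switches:
        flag = needs_drop_zones(ls)
        for port in ls.ports:
            opts[port] = {"drop-zones-required": "true"} if flag else {}
    return opts

def allocate_drop_zones(port_opts, first_zone=1):
    """Per-port allocation: two zones (from-lport-drop, to-lport-drop) for
    each marked port, none for unmarked ports, so each can be limited alone."""
    ids = count(first_zone)
    zones = {}
    for port, opts in port_opts.items():
        if opts.get("drop-zones-required") == "true":
            zones[port] = {"from-lport-drop": next(ids), "to-lport-drop": next(ids)}
    return zones

# Constructed sample: only ls1 has a labelled drop ACL; ls2's drop is unlabelled.
SWITCHES = [
    LogicalSwitch("ls1", ["vm1", "vm2"],
                  [ACL("to-lport", "allow-related", 0, "ip4"),
                   ACL("from-lport", "drop", 7, "tcp.dst == 23")]),
    LogicalSwitch("ls2", ["vm3"], [ACL("to-lport", "drop", 0, "udp")]),
]
```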
